Every browser out there has its fan club. But Chrome is still the most popular by far, with over 63% of users preferring this browser over any other. It’s not hard to understand why – with all the handy features, extensions, and add-ons that Google offers.
That popularity and convenience come at a cost, though. Plenty of users also mean plenty of cyber thieves hellbent on targeting them. It also means a complicated system of third-party extensions and providers that can be exploited, which is exactly what’s happened – yet again.
Last month, researchers at Awake Security discovered over 106 malicious add-ons on the Google Chrome Web Store, amounting to over 32 million downloads. Meaning at least 32 million people have now had their data stolen. This doesn’t affect individual users either, but also companies who rely on Chrome for their daily communication, scheduling, and more.
Google has removed these extensions, but the damage is already done. Read on about this massive privacy violation issue, and what users can do to protect themselves from similar risks in the future.
Another Massive Privacy Invasion. What Happened?
The extensions in question were being used to siphon user data of all kinds, as well as to establish a foothold on corporate networks. The researcher said that they had analyzed over 100 networks across several industries, including financial services, retail, healthcare, and pharmaceuticals. Almost all of these networks were compromised.
Awake Security did publish a TSV list (i.e., raw spreadsheet data) detailing their discovery. But for the most part, these extensions were file converters or used to alert users of malicious websites.
In the findings published by the security research team, they revealed that the malicious extensions were part of a coordinated effort. Google responded by taking the extensions in question down, adding a statement saying: “When we are alerted of extensions in the Web Store that violate our policies, we take action and use those incidents as training material to improve our automated and manual analyses.”
However, it is troubling when core internet infrastructure used by billions, like Chrome, is compromised. And this isn’t the first time this has happened; not even the first time this year. In February, another security firm discovered over 500 malevolent Chrome extensions. These extensions were stealing user browsing data as well as redirecting users to malicious websites. Those have also since been removed.
How to Stay Away From Unnecessary Danger
While it’s almost impossible to avoid exposure to all of the threats out there, internet users and organizations can reduce their overall risk.
– Don’t download unnecessary extensions. As hard as this may be for some, only download necessary extensions. Sure they’re mighty convenient, but they also add a massive security concern that’s not worth the headache. Don’t trust it just because it’s on a reputable store like the Chrome Web Store.
– Properly review extensions. Verify the developer or company that created the extension, if possible. This isn’t always a guarantee that they’re legit, but it can’t hurt to be careful. If something looks off, or the developer doesn’t have a professional online presence, it’s best to skip it instead.
– Get a VPN. VPNs protect users by encrypting their connections so outsiders can’t steal their data. They also hide one’s IP so no one else but me knows what is my IP address. Find a VPN with servers nearby to avoid unnecessarily slowing the connection. Although many of the high-tier VPNs don’t slow network connections down to a noticeable degree regardless.
– Use a privacy browser. This might ruffle a few feathers because Chrome and Google’s other convenient apps have become so entrenched in how people do things. Making the switch to a lesser-known private browser can feel like a jarring experience, but it’s worth it in the long run. Private browsers put security first and are great for more than just added security. They provide more privacy as well, thanks to fewer trackers and less or no data siphoning.
Many speculate that malicious extensions are new malware. That might be true, but this has plagued Google for a long time. In 2018, the company vowed to increase its security and add more eyes to vet extensions properly. Yet cybercriminals still find a way around that by using loopholes and clever disguising. It doesn’t look like this problem will go away, so users need to take extra steps to protect themselves.